NETWORK USER AUTHENTICATION PROTOCOL

CROSS-REFERENCES TO RELATED APPLICATIONS

This nonprovisional U.S. national application, filed under 35 U.S.C. § 111(a), claims, under 37 C.F.R. § 1.78(a)(3), the benefit of the filing date of provisional U.S. national application no. 60/148,624, attorney docket no. SAR13431P, filed on 08/12/99 under 35 U.S.C. § 111(b), the entirety of which is incorporated herein by reference.
Government Interests

This invention was at least partially supported by U.S. Army CECOM 
Government Contract No. DAAB07-97-C-D607. The government may have 
certain rights in this invention. 

BACKGROUND OF THE INVENTION 
Field of the Invention

The present invention relates to computer networks and, in particular, to systems and methods for authentication of users' access to the network.

Description of the Related Art

Computer networks are widely used. These include private networks such as local-area networks ("LANs"), wide-area networks ("WANs"), and the like. The network consists of a variety of nodes, interconnected by transmission links. Some of the nodes may be terminals and/or personal computers ("PCs") by which a user gains access to the network. Other network nodes are functional nodes such as routers, servers, and the like. Various communications media are used to interconnect the nodes of a network, such as fiber-optic cables, Integrated Services Digital Network ("ISDN"), wireless links, and the like. As will be understood, various nodes of a networked computer system may be connected through a variety of communication media.

A given private network is typically maintained and operated by a specific company, where access to the network is limited to authorized users. In order to limit access to authorized users, networks are often configured to "authenticate" a user accessing the network, to ensure that the user is an authorized user. The authentication procedure is thus designed to ensure that only authorized (authenticated) users are allowed to access the network. The simplest form of authentication requires a username or user ID, and password to gain access to a particular account. Authentication protocols can also be based on secret-key encryption or on public-key systems using digital signatures. In some networks, in order to maintain network access control, users are required to be periodically re-authenticated to retain network access. The authentication process authenticates an authorized user. The outcome of the authentication can be said to be successful if the user is successfully authenticated, i.e., authorized to access the network. The authentication fails if the user is not granted authorization to access the network.

Conventional authentication procedures, however, may be subject to infiltration by unauthorized users or other forms of "attack". The attack may permit substitute or false information to be inserted into the network, or delivered from the network, or it may otherwise permit the unauthorized user to gain access to the network, further allowing them to perform a range of hostile acts. If authentication information resides in the memory of a network terminal, whether mobile, wireless, or fixed, it may be possible for an unauthorized user to attack the memory to acquire the authentication information, and thus access to the system.

For mobile user terminals (i.e., wireless, mobile terminals), there may be opportunity for user terminals to fall into unauthorized hands, in which case the terminal memory may be attacked. If the hacker acquires authentication information stored in the memory of the terminal, this may be used to gain unauthorized access to the network. Also, some networks and authentication procedures are vulnerable to so-called "man-in-the-middle" attacks. In this kind of an attack, an unauthorized user interferes with the initial public key exchange, by intercepting the very first message to a new correspondent (e.g., from the terminal to some authentication server of the network) and substituting a bogus public key for the genuine public key.

A "file sharing" or peer-to-peer type network is often used. In such a network, all users are peers and there is no central network controller; rather, every computer (node) can share files and peripherals with all other computers on the network, given that all are granted access privileges. In such a network, because there is no dedicated, central network controller, authentication information is distributed to many terminals in the network and any terminal may be called on to authenticate a user. Since the authentication database is distributed, it is subject to a wider range of attacks than a network where there is a well-protected central authentication site. There is, therefore, a need for improved authentication systems and techniques which do not suffer the foregoing disadvantages and problems.

Summary

In a peer-to-peer network having a plurality of user terminals, each capable of serving as a user authentication site for other terminals of the network and having an open side of a firewall and a secure side of the firewall, a method for authenticating a user. A user authentication database is stored in memories in the secure side of first and second terminals of the network. The first terminal receives a password from the user, and translates the password into an authentication encryption key for the user. The first terminal generates a first random number, encrypts the first random number with the authentication encryption key to provide a first encrypted message, and transmits the first encrypted message to the second terminal, which serves as a user authentication site for the first terminal. The user authentication site decrypts the encrypted first message to provide the first random number, and generates a second random number, which is transmitted to the first terminal. The first terminal combines and encrypts the first and second random numbers, with the authentication encryption key, to provide a second encrypted message. The first terminal transmits the second encrypted message to the user authentication site, which decrypts the encrypted second message to provide the combined first and second random numbers. The user authentication site verifies that the first and second random numbers are correct, and authenticates the user in accordance with this verification.
Brief Description of the Drawings

These and other features, aspects, and advantages of the present invention will become more fully apparent from the following description, appended claims, and accompanying drawings in which:

Fig. 1 is a block diagram of a computer network in accordance with an embodiment of the present invention; and

Fig. 2 is a flow chart illustrating the authentication protocol of the network of Fig. 1, in accordance with an embodiment of the present invention.

Description of the Preferred Embodiment

The present invention provides an authentication protocol designed to prevent unauthorized entities from gaining access to a peer-to-peer network either by obtaining authentication information through communications attack or by gaining access to a network terminal. In the present invention, only information personally retained by an authorized user may be used for authentication. Because the network is a peer-to-peer network, multiple terminals must store a user authentication database which is distributed throughout the network. Some terminals of the network thus can double as a user terminal and as a user authentication site for another terminal. The authentication protocol of the present invention protects against an unauthorized user gaining access through a terminal, despite the authentication information stored on the terminal. In addition, the authentication protocol of the present invention is not vulnerable to a man-in-the-middle attack.

Referring now to Fig. 1, there is shown a block diagram of a computer network system 100 in accordance with an embodiment of the present invention. Network 100 includes a first user terminal 110, and a user authentication site 120, interconnected by a communications or transmission channel 125, which may be a LAN, fiber optic, wireless, or other digital communications means. User terminal 110 may be a PC at a fixed location, a remote PC connected to authentication site 120 by a telephone or other link, or a mobile unit connected by a wireless link. Terminal 110 contains a processor 117 and memory 112 which stores a local copy of a distributed user authentication database. User authentication site 120 may be another user terminal, or a dedicated piece of hardware, a PC, or even a site manned by human operators. In an embodiment, network 100 comprises a plurality of user terminals which can also perform user authentication for other user terminals. Network 100 may also contain dedicated user terminals that cannot provide user authentication, and dedicated user authentication sites that are not user terminals.

Each authorized user of network 100 is assigned a unique password, and an authentication encryption and decryption key pair. A given user's authentication encryption key is the outcome of applying a specified encryption-key generation algorithm to the user's password. The user's authentication decryption key is the key that can decrypt messages encrypted using the user's authentication encryption key. These keys are used only for authentication and no other purpose, such as data encryption/decryption. User authentication information for all authorized users of the network is maintained in a distributed user authentication database, which is distributed among and stored on several user terminals of network 100, such as terminals 110, 120. The database contains authentication information for each user, such as the user's authentication encryption and decryption keys, password, and other information about the user, such as the user's security clearance and authority to access the network (access authority).

In some embodiments, each user may also have a Smart Card with personal information pre-encrypted with the user's individual authentication encryption key. Each user may also have health sensors mounted on his body, for additional security.

Thus, as illustrated, every user terminal that can perform authentication for other terminals stores a local copy of the user authentication database. This database is stored in a memory 112, 122 on the secure side 114, 124 of a firewall 111, 121. All terminals of network 100, such as terminals 110, 120, have a firewall (e.g., 111) where the user enters and receives data from the open side 113 and all authentication information is on the secure side 114. Since each terminal 110 may serve as a relay for network traffic for other terminals, the transmitter, receiver, and all network traffic are on the secure side. The terminal's secure side is protected against both physical and software attacks. In the local copy of the distributed user authentication database stored in each terminal's memory 112 are all present and potential users' individual authentication encryption and decryption keys, which are used only for authentication, and for no other purpose. The distributed user authentication database is maintained autonomously by the secure side of the network 100. Any terminal with a user authentication database can serve as a user authentication site for one or more other terminals. Thus, the second user terminal can serve as a user authentication site 120 for first user terminal 110, which itself can serve as a user authentication site for terminal 120 or other terminals of network 100.

Each user terminal, such as user terminal 110, has a means of translating the user's password to the user's individual encryption key. For example, user terminal 110 contains processor 117 and the above-mentioned encryption-key generation algorithm. User terminal 110 also has the ability to generate random numbers, and to encrypt a given message with the user's individual authentication encryption key. Thus, if the user provides a password to terminal 110, terminal 110 can run the encryption-key generation algorithm using the password as input, to generate the user's authentication encryption key. It can then generate a random number and use the authentication encryption key to encrypt the random number, to provide an encrypted random number (which is also a random number). The password, random number, authentication encryption key, encrypted messages, and received messages can be stored by terminal 110 temporarily in memory 112. In some embodiments, a terminal 110 can be equipped with sensors to read and transmit the user's Smart Card information, health sensors, and/or an iris recognition device, for additional security.

In an embodiment, a terminal only grants access to a user who inserts his smart card and then enters the appropriate user ID and password. The user's password and smart card data are the only authentication data that may pass through the firewall. Terminal access is denied if the user is de-authenticated by any user authentication site.

Terminals of network 100 are configured such that only certain specially-designated users have read/write access to the user authentication database stored in the terminal's memory 112. For example, in a military context, each soldier of a squad may have a wireless, mobile user terminal 110, and a designated communications expert of the squad may be designated as having the authority to have read and/or read/write access to the database in memory 112 of his user terminal. Other soldiers are not designated. In an embodiment, the user authentication database stored in a terminal's memory is destroyed (e.g., the memory is erased) under certain conditions, for example where a non-designated user attempts to access the database, or where a suspicious or non-standard attempt is made to access the database. The database may also be destroyed if the terminal detects a physical attack, e.g. opening the physical case of the terminal. In an embodiment, if a terminal's user is de-authenticated (fails an authentication process), the user authentication database residing in that terminal's memory 112 is destroyed.

Also, in some embodiments, there may be provided a specific user/terminal detachment procedure. For example, the user/terminal detachment procedure may specify that the user has to first enter a detachment code, then log off, and then remove his smart card from a smart card port in the terminal 110. If terminal 110 detects detachment without the detachment procedure being followed, it destroys the user authentication database in memory 112.

During use, each terminal 110 is connected to the network and permits the authenticated user to access the network. In an embodiment, users are required to wear health sensors and the terminal contains health sensor detectors that continually or periodically monitor the user's health. Thus, in this embodiment, if at any time during a session user terminal 110 detects that the user is unable to conduct a terminal session, based on status from the health sensors (e.g. the user has been killed), this information is transmitted to the user authentication site 120 and the latter withdraws authentication. Alternatively, terminal 110 directly withdraws authentication and/or removes itself from the network 100.

In an embodiment, in order to maintain terminal and network access, the user's health sensors must indicate to terminal 110 that the user is alive. If the health sensors indicate that the user has died, the terminal 110 detects this, de-authenticates the user, and automatically transmits this information to other user authentication sites to update the user authentication database.
Thus, in the present invention, because a peer-to-peer network is used, user terminals must also store the user authentication database so they can function as user authentication sites. However, to prevent an unauthorized person who gains access to the terminal from being able to access the network or acquire the user authentication database by attacking the terminal's memory, each terminal places all authentication information behind a firewall and does not in general permit its user to access this database. Also, a user cannot be authenticated by his own terminal. He can only be authenticated by one or more other terminals. Thus, when a user attempts to access user terminal 110, user terminal 110 requests another terminal, e.g. terminal 120, to serve as a user authentication site. Also, if a user accesses a terminal other than the one assigned to him he must be re-authenticated.

Further, in an embodiment, re-authentication of all users is conducted periodically. For example, after some time, terminal 120 or another terminal may notice, e.g. from inspecting its own local copy of the user authentication database, that a time-out period has elapsed since the user of terminal 110 was last authenticated. It can then initiate the next scheduled re-authentication. A re-authentication procedure may also be initiated by any terminal if it suspects that another user has been killed or captured or another terminal has been captured. Also, in an embodiment, if a terminal is detached from its user, even according to the detachment protocol, it removes itself from the network for further security.

Referring now to Fig. 2, there is shown a flow chart illustrating the network user authentication protocol method 200 of network 100, in accordance with an embodiment of the present invention. First, a user initiates access of a user terminal 110 (step 201). Alternatively, if a user has been using a given terminal 110 for some time, after a timeout, authentication site 120 notifies user terminal 110 to re-authenticate the user (step 203). Authentication site 120 may also initiate re-authentication if it suspects that the user of terminal 110 has been killed or captured or that terminal 110 has been captured. Terminal 110 then notifies the user to enter a user ID and password, for example within a given time period (step 205). In the case of re-authentication, step 205 may involve issuing an Authentication Warning to the user, which may be in the form of a visual, auditory, or skin sensation message. Also, in the case of re-authentication in which the user is currently engaged in a session, the terminal 110 may still have the user ID stored, in which case it need only prompt the user for the password.

In an embodiment, in the case of authentication of a new user, the user must first insert his smart card into terminal 110. In the case of re-authentication of a currently-authenticated user, the user is already logged onto his terminal 110 with his smart card in place. In this embodiment, the smart card must be in place and the information thereon read and verified in order to continue with or maintain authentication. In alternative embodiments, the authentication protocol of the present invention does not require a smart card.

The user presumably will only have a password if he is an authorized user. In this case, the authorized user enters his user ID and password (step 207), within a specified timeout period if this is required in step 205. Terminal 110 then generates the user's authentication encryption key by translating the password with the encryption-key generation algorithm (step 209). The user need never possess or even know his authentication encryption key, but only his password (and ID).

Terminal 110 also generates a first random number (step 211), and then encrypts this random number using the user's authentication encryption key (step 213). The user terminal then notifies the user authentication site 120 of the user's identity and transmits the encrypted random number to user authentication site 120 (step 215). In an embodiment, the authentication site is notified of the user's identity by transmitting the user ID to the authentication site. The user ID is preferably first encrypted with the user's authentication encryption key and then the encrypted ID is transmitted to authentication site 120. Authentication site 120 can then exhaustively decrypt the received encrypted message, with every possible authentication decryption key, until there is produced a user ID which matches a valid user ID of the network (and which also matches the user ID of the decryption key used to successfully decrypt the message). Thus, once authentication site 120 has successfully decrypted the user ID message, it knows the user ID and thus which authentication decryption key to use to decrypt subsequent encrypted messages transmitted during the authentication process. In an embodiment, the user terminal 110 ID is also encrypted and transmitted to authentication site 120 along with the user ID. In the case of re-authentication, the encrypting and sending of the user ID can be skipped; or, for convenience and simplicity, it can still be transmitted, but the authentication site 120 can in this case simply use the already-determined decryption key to decrypt the encrypted user ID, rather than perform an exhaustive decryption.

After decrypting the encrypted user ID message, authentication site 120 receives the encrypted first random number. User authentication site 120 decrypts this message with the particular user's authentication decryption key, to provide the original first random number (step 217). User authentication site 120 then generates a second random number, and transmits it to user terminal 110 (step 219). In an alternative embodiment, an encrypted version of the second random number is transmitted to user terminal 110, in which case a second encryption/decryption key pair is utilized. At this point in time, user authentication site 120 knows the identity of the user and/or his password, that user's authentication encryption/decryption keys (or at least the decryption key), and the first and second random numbers. User terminal 110, during the authentication process, stores the user's password and authentication encryption key.

After receiving the second random number from authentication site 120, the user's terminal 110 combines and encrypts both random numbers with the user's authentication encryption key and transmits this message to the user authentication site (step 221). The two random numbers may be combined in a variety of specified ways, e.g. adding, subtracting, multiplying, concatenating strings, and so forth, so long as the technique used by user terminal 110 is known to user authentication site 120. The combining technique used is preferably set a priori and specified as part of the authentication protocol of the present invention.
The user authentication site 120 thus receives an encrypted message, which is an encrypted version of the combined two random numbers, and decrypts this message using the user's authentication decryption key. Authentication site 120 then verifies that both random numbers are correct. If so, there has been no man-in-the-middle attack. At this point, authentication site 120 knows the identity of the user attempting to gain access. If the user's identity and access authority permit network access, authentication site 120 authenticates the user by transmitting the appropriate authentication message to terminal 110 and allowing network resources to be used by the user from user terminal 110, in accordance with the user's level of access authority (step 223). If the user is a new user, he is authenticated, or denied access if the authentication fails. In the case of re-authentication, the user is re-authenticated, or authentication is withdrawn if the authentication fails.

If the user is authenticated, and new transport and message keys are required, a new method of obtaining them from the terminal's clock is sent to terminal 110. If he is not authenticated, the user authentication site indicates to all other users on the network that he is de-authenticated and all communications to and from him are terminated. Terminal access is also denied. The distributed user authentication database is updated to indicate the de-authentication, and every local copy is updated accordingly as the update is distributed through the network.

In an embodiment, the user authentication site 120 may also query user terminal 110 for Smart Card information, the status of the user's health, and/or iris recognition information. This information may be used for additional security by authentication site 120, in step 223, in verifying the user's identity and ability to conduct a terminal session. Whether authentication fails or is successful, the user terminal 110 in both cases erases the user's password and authentication encryption key from its memory 112 immediately after the authentication process is completed (step 225), for extra security, even though the memory 112 maintains a copy of the entire user authentication database.
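The exchange of steps 209 through 225 described above, worked as an added example that is not part of the patent: both peers are simulated in Python, including the exhaustive decryption of the user ID message at the authentication site and the verification of both random numbers. PBKDF2-HMAC-SHA256 stands in for the unspecified encryption-key generation algorithm, an HMAC-SHA256 counter-mode keystream stands in for the unspecified cipher, concatenation is taken as the a priori combining rule, and the user IDs, passwords and database are constructed.

```python
import hashlib
import hmac
import os
import secrets

# Assumption: PBKDF2-HMAC-SHA256 with a network-wide salt stands in for the
# patent's unspecified encryption-key generation algorithm.
KDF_SALT = b"constructed-network-100-salt"
NONCE_LEN = 16

def derive_auth_key(password: str) -> bytes:
    """Step 209: password -> authentication key (symmetric: enc key == dec key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), KDF_SALT, 10_000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stand-in cipher (assumption), not AES.
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Fresh nonce per message, so an encrypted random number is itself random.
    nonce = os.urandom(NONCE_LEN)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))

def decrypt(key: bytes, message: bytes) -> bytes:
    nonce, body = message[:NONCE_LEN], message[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

def combine(r1: int, r2: int) -> bytes:
    # Combining rule fixed a priori by the protocol: concatenate both 64-bit values.
    return r1.to_bytes(8, "big") + r2.to_bytes(8, "big")

class UserTerminal:
    """Terminal 110: keeps the password-derived key and R1 only for the session."""
    def __init__(self, user_id: str, password: str):
        self.user_id = user_id
        self.key = derive_auth_key(password)  # step 209
        self.r1 = secrets.randbits(64)        # step 211

    def step_215(self) -> tuple:
        """Encrypted user ID plus encrypted first random number (steps 213-215)."""
        return (encrypt(self.key, self.user_id.encode()),
                encrypt(self.key, self.r1.to_bytes(8, "big")))

    def step_221(self, r2: int) -> bytes:
        return encrypt(self.key, combine(self.r1, r2))  # combine and encrypt both numbers

    def step_225(self) -> None:
        """Erase the password-derived key whether or not authentication succeeded."""
        self.key = None

class AuthSite:
    """Terminal 120 as authentication site; db maps user ID -> {"key": bytes, "access": bool}."""
    def __init__(self, database: dict):
        self.db = database
        self.pending = {}  # user_id -> (r1, r2) between steps 219 and 223

    def step_217_219(self, enc_user_id: bytes, enc_r1: bytes):
        """Exhaustively decrypt the ID message with every user's key; the key whose output
        is its own owner's ID identifies the user. Returns (user_id, r2) or None."""
        for user_id, record in self.db.items():
            if decrypt(record["key"], enc_user_id) == user_id.encode():
                break
        else:
            return None  # unknown user or wrong password: no key matches
        r1 = int.from_bytes(decrypt(record["key"], enc_r1), "big")  # step 217
        r2 = secrets.randbits(64)                                     # step 219
        self.pending[user_id] = (r1, r2)
        return user_id, r2

    def step_223(self, user_id: str, enc_combined: bytes) -> bool:
        """Verify both random numbers came back intact, then apply access authority."""
        if user_id not in self.pending:
            return False
        r1, r2 = self.pending.pop(user_id)
        received = decrypt(self.db[user_id]["key"], enc_combined)
        if not hmac.compare_digest(received, combine(r1, r2)):
            return False  # a substituted R1 or R2 (man in the middle) fails here
        return self.db[user_id]["access"]

def run_protocol(terminal: UserTerminal, site: AuthSite, tamper_r2: bool = False) -> bool:
    """Drive steps 215-225 between the peers; tamper_r2 simulates R2 altered in transit."""
    try:
        reply = site.step_217_219(*terminal.step_215())
        if reply is None:
            return False
        user_id, r2 = reply
        if tamper_r2:
            r2 ^= 1
        return site.step_223(user_id, terminal.step_221(r2))
    finally:
        terminal.step_225()  # runs on every outcome

# Constructed sample database shared by the peers (bob lacks access authority).
SAMPLE_DB = {"alice": {"key": derive_auth_key("correct horse"), "access": True},
             "bob": {"key": derive_auth_key("battery staple"), "access": False}}
```

A wrong password is rejected at the exhaustive-decryption step, because no stored key decrypts the ID message to its own owner's ID, while a second random number altered in transit is rejected by the comparison in step 223.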

As will be understood, the term "user" as used herein refers to a person either attempting to gain access, or already having access, to the network 100 via a user terminal 110. Thus a prospective user as well as one already authorized by an authentication process is a user.

As will be appreciated, the authentication protocol of the present invention is not vulnerable to a man-in-the-middle attack. Further, authentication data security is attained by not permitting individual terminal users to access the authentication information residing on the secure side of any user terminal 110. Having another terminal, e.g. user authentication site 120, control access to user terminal 110 attains terminal access and security.

It will be understood that various changes in the details, materials, and arrangements of the parts which have been described and illustrated above in order to explain the nature of this invention may be made by those skilled in the art without departing from the principle and scope of the invention as recited in the following claims.
What is claimed is:

1. In a peer-to-peer network (100) having a plurality of user terminals (110, 120), a method for authenticating a user, comprising the steps of:

(a) storing, in a memory (112) on a secure side (114) of a first terminal (110) and in a memory (122) on a secure side (124) of a second terminal (120), a user authentication database;

(b) receiving (207), at the first terminal of the network, a password from a user;

(c) translating (209) the password into an authentication encryption key for the user; and

(d) using (211-225) the authentication encryption key to authenticate the user with the second terminal serving as a user authentication site for the first terminal.

2. The method of claim 1, wherein step (d) comprises the steps of:

(1) generating (211), with the first terminal, a first random number;

(2) encrypting (213) the first random number with the authentication encryption key to provide a first encrypted message and transmitting (215) the first encrypted message from the first terminal to the user authentication site;

(3) decrypting (217), at the user authentication site, the encrypted first message to provide the first random number;

(4) generating (219), with the user authentication site, a second random number and transmitting the second random number to the first terminal;

(5) combining and encrypting (221), with the first terminal, the first and second random numbers to provide a second encrypted message and transmitting the second encrypted message from the first terminal to the user authentication site;

(6) decrypting (223), at the user authentication site, the encrypted second message to provide the combined first and second random numbers;

(7) verifying that the first and second random numbers are correct; and

(8) authenticating the user in accordance with said verification.

3. The method of claim 2, comprising the further step of erasing (225) from the first terminal the password after the user authentication, whether the authentication is successful or not.

4. The method of claim 2, wherein:

step (b) comprises the further step of receiving (207), at the first terminal, a user ID from the user;

step (d)(2) comprises the further step of encrypting the user ID with the authentication encryption key to provide an encrypted user ID message and transmitting (215) the encrypted user ID message from the first terminal to the user authentication site; and

step (d)(3) comprises the further step of decrypting, at the user authentication site, the encrypted user ID message with valid authentication decryption keys until a decrypted user ID is produced which matches a valid user ID of the network, step (d)(3) further comprising the step of decrypting the encrypted first message with the authentication decryption key used to successfully decrypt the encrypted user ID message, to provide the first random number.

5. The method of claim 2, wherein step (d)(8) comprises the step of authenticating (223) the user if the first and second numbers are correct and if the user has authority to access the network.



6. The method of claim 2, further comprising the steps of reading, with a health sensor, the user's health status, transmitting said health status to the user authentication site, and authenticating the user in accordance with said health status and said verification of step (d)(7).

7. The method of claim 2, further comprising the steps of querying, with the authentication site, the first terminal to read user information from a user smart card and authenticating the user in accordance with said user information and said verification of step (d)(7).



8. The method of claim 1, wherein step (b) comprises the step of receiving, at the first terminal, the user ID from the user.

9. The method of claim 1, comprising the further step of preventing the user from accessing the secure side of the first terminal unless the user is a designated user.
FIG. 1

FIG. 2

USER INITIATES ACCESS OF USER TERMINAL (201)

AUTHENTICATION SITE NOTIFIES TERMINAL TO RE-AUTHENTICATE AFTER TIME-OUT (203)

TERMINAL NOTIFIES USER TO ENTER USER ID AND PASSWORD (205)

AUTHORIZED USER ENTERS ID & PASSWORD (207)

TERMINAL TRANSLATES PASSWORD INTO USER AUTHENTICATION ENCRYPTION KEY (209)

TERMINAL GENERATES FIRST RANDOM NUMBER (211)

TERMINAL ENCRYPTS FIRST RANDOM NUMBER WITH USER AUTHENTICATION ENCRYPTION KEY (213)

TERMINAL NOTIFIES USER AUTHENTICATION SITE OF USER IDENTITY AND TRANSMITS ENCRYPTED RANDOM NUMBER TO USER AUTHENTICATION SITE (215)

AUTHENTICATION SITE DECRYPTS MESSAGE WITH USER AUTHENTICATION DECRYPTION KEY FOR THAT USER (217)

AUTHENTICATION SITE GENERATES SECOND RANDOM NUMBER AND TRANSMITS IT TO TERMINAL (219)

TERMINAL COMBINES AND ENCRYPTS BOTH RANDOM NUMBERS WITH USER AUTHENTICATION ENCRYPTION KEY AND TRANSMITS ENCRYPTED MESSAGE TO USER AUTHENTICATION SITE (221)

USER AUTHENTICATION SITE DECRYPTS MESSAGE USING USER AUTHENTICATION DECRYPTION KEY, VERIFIES THAT BOTH RANDOM NUMBERS ARE CORRECT, VERIFIES USER'S IDENTITY AND ACCESS AUTHORITY AND AUTHENTICATES USER IF SO (223)

TERMINAL ERASES USER'S PASSWORD AND USER AUTHENTICATION ENCRYPTION KEY FROM ITS MEMORY WHETHER OR NOT AUTHENTICATION IS SUCCESSFUL (225)